GENERAL: Remove magic quote functions

The path to magic quote sanity took a fun and exciting turn: PHP core removed it and WordPress updated the minimum version. For the formally external pclzip, the code is commented out to make investigating easier and in case we ever need to merge upstream (if that still exists) changes. Props ayeshrajans, jrf, jorbin. See #47783. Fixes #18322. git-svn-id: https://develop.svn.wordpress.org/trunk@46105 602fd350-edb4-49c9-b593-d223f7449a82
WordPress · Sep 13, 2019 · 08df15a · 08df15a
1 parent 53ec5e3
commit 08df15a
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 25 deletions.
diff --git a/src/wp-admin/includes/class-pclzip.php b/src/wp-admin/includes/class-pclzip.php
@@ -5326,6 +5326,10 @@ function privDisableMagicQuotes()
   {
     $v_result=1;
 
+	// EDIT for WordPress 5.3.0
+	// magic_quote functions are deprecated in PHP 7.4, now assuming it's always off.
+	/*
+
     // ----- Look if function exists
     if (   (!function_exists("get_magic_quotes_runtime"))
 	    || (!function_exists("set_magic_quotes_runtime"))) {
@@ -5344,6 +5348,7 @@ function privDisableMagicQuotes()
 	if ($this->magic_quotes_status == 1) {
 	  @set_magic_quotes_runtime(0);
 	}
+	*/
 
     // ----- Return
     return $v_result;
@@ -5360,6 +5365,10 @@ function privSwapBackMagicQuotes()
   {
     $v_result=1;
 
+	// EDIT for WordPress 5.3.0
+	// magic_quote functions are deprecated in PHP 7.4, now assuming it's always off.
+	/*
+
     // ----- Look if function exists
     if (   (!function_exists("get_magic_quotes_runtime"))
 	    || (!function_exists("set_magic_quotes_runtime"))) {
@@ -5376,6 +5385,7 @@ function privSwapBackMagicQuotes()
   	  @set_magic_quotes_runtime($this->magic_quotes_status);
 	}
 
+	*/
     // ----- Return
     return $v_result;
   }

diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
@@ -2713,10 +2713,6 @@ function untrailingslashit( $string ) {
  * @return string Returns a string escaped with slashes.
  */
 function addslashes_gpc( $gpc ) {
-	if ( get_magic_quotes_gpc() ) {
-		$gpc = stripslashes( $gpc );
-	}
-
 	return wp_slash( $gpc );
 }
 
@@ -4782,8 +4778,6 @@ function map_deep( $value, $callback ) {
 /**
  * Parses a string into variables to be stored in an array.
  *
- * Uses {@link https://secure.php.net/parse_str parse_str()} and stripslashes if
- * {@link https://secure.php.net/magic_quotes magic_quotes_gpc} is on.
  *
  * @since 2.2.1
  *
@@ -4792,9 +4786,7 @@ function map_deep( $value, $callback ) {
  */
 function wp_parse_str( $string, &$array ) {
 	parse_str( $string, $array );
-	if ( get_magic_quotes_gpc() ) {
-		$array = stripslashes_deep( $array );
-	}
+
 	/**
 	 * Filters the array of variables derived from a parsed string.
 	 *

diff --git a/src/wp-includes/load.php b/src/wp-includes/load.php
@@ -925,13 +925,6 @@ function wp_set_internal_encoding() {
  * @access private
  */
 function wp_magic_quotes() {
-	// If already slashed, strip.
-	if ( get_magic_quotes_gpc() ) {
-		$_GET    = stripslashes_deep( $_GET );
-		$_POST   = stripslashes_deep( $_POST );
-		$_COOKIE = stripslashes_deep( $_COOKIE );
-	}
-
 	// Escape with wpdb.
 	$_GET    = add_magic_quotes( $_GET );
 	$_POST   = add_magic_quotes( $_POST );

diff --git a/src/wp-includes/rest-api/class-wp-rest-request.php b/src/wp-includes/rest-api/class-wp-rest-request.php
@@ -689,15 +689,6 @@ protected function parse_body_params() {
 
 		parse_str( $this->get_body(), $params );
 
-		/*
-		 * Amazingly, parse_str follows magic quote rules. Sigh.
-		 *
-		 * NOTE: Do not refactor to use `wp_unslash`.
-		 */
-		if ( get_magic_quotes_gpc() ) {
-			$params = stripslashes_deep( $params );
-		}
-
 		/*
 		 * Add to the POST parameters stored internally. If a user has already
 		 * set these manually (via `set_body_params`), don't override them.